SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17th, 2009 1:30 pm –

Presentation transcript:

The Reality of 10G Analysis
Presented by: Network Critical
Wednesday, June 17th, 2009, 1:30 pm – 3:00 pm

Overview
What are the challenges of managing 10 Gig links?
How can we overcome these challenges?
How can I use Wireshark at 10 Gig?
SmartNA 10G Filtering Aggregating TAP

10 Gbps is a LOT of Data
10,000,000,000 bps – Ten billion bits per second
~2.4 Million packets per second of 1,024 byte packets
– 1,197,000+ per direction
~29 Million packets per second of 64 byte packets
– 14,880,000+ packets per second per direction

Challenges and Limitations
Capture devices do not keep up with 10G traffic
– Limited capture bandwidth
– Custom NICs are EXPENSIVE and still dropping packets under load
– No real-time information
10G monitoring tools are very expensive
– e.g. ranging from $50K to $150K and beyond

Wireshark on a Laptop? … Good, But
Wireshark on a laptop is invaluable
But performance of receive, capture and analysis is limited
10Gbps link would exhaust the memory in a second
… Not strong enough to sustain capturing and analysis at high rate

Simple and Effective Solution
Limit your Wiresharking to relevant traffic subset only
Selectively filter according to header fields AND payload content as needed
On-the-fly second by second visibility to network behavior and Key Performance Indicators
Intuitive graphs and visualization

How Well Do You Know Your Network?
Are your 10G links fully utilized?
– What types of traffic are dominant?
– How about spikes and micro-bursts?
Can you analyze every bit or event today?
– How do you access data remotely?
Wireshark can't handle 10 Gbps of data
"If you can not measure it, you can not improve it" - Lord Kelvin

How to Get the Relevant Traffic?
Built-in access to network traffic is essential
How do you pull out network traffic
– TAP (traffic access point)
– SPAN/mirror port
But you need only the relevant network traffic …
Feed Wireshark only filtered traffic

Flexible Filtering at 10 Gigabits
Filter by:
– MAC addresses
– VLAN ranges
– IP address ranges
– Protocol types
– QoS level
– Port ranges
– Advanced pattern matching (Layer 2-7)

Easy-to-use, Exact, Guaranteed
True parsing of the protocol header stack
– Automatic header skipping
Flexible Complete Packet Inspection filters
– Non-anchored/anchored patterns
– Case sensitive/insensitive searches
Easy incremental provisioning
– Simple browser form and a command line

Flexible Filtering, Mirroring, Bandwidth Reduction
Two 10Gbps full-duplex Data Interfaces (A and B)
Two Transmit-only 10 Gbps Duplicate Interfaces (1 and 2)
Two Transmit-only 1Gbps Duplicate Interfaces (3 and 4)
Aggregation, reduction, time stamping (µs), and forwarding over UDP
One management/configuration interface for provisioning and reports
[Figure labels: MONITORING, OUTPUT, MANAGEMENT, DISPLAY, LINK/ACTIVITY, STATUS, POWER, CONTROL PAD]

Key Features
Smart TAP: Two 10 GigE data + two 10G dup + two 1G dup
– Integrated fiber bypass - zero risk passive deployment in line
Duplicating and filtering traffic to 10G and 1G smart ports
– Bandwidth reduction and remote forwarding of specific traffic
Selective filtering according to headers and payload patterns
– True packet header parsing and pattern search anywhere in payload
Microsecond accurate time stamp for delay & jitter analysis

Key Features
Visualization, aggregation, and correlation of performance info
– Second by second network behavioral information
– Performance metrics – not just raw packets
Burst capture
– Sample packets and retrieve as pcap from any web browser
– Narrow down on specific packet types as necessary
Detailed and 100% accurate counters of packets and bytes
– Accurate performance break-down at one second resolution

SmartNA TAP Deployment

Performance Visualization and Behavioral Analysis
Performance monitoring on-the-fly
Aggregation, correlation, visualization
Built-in and user-defined graphs
Export data in CSV to Excel, SQL, …
View remotely over web browser

SmartNA 10G TAP
Web-based reporting with detailed counters and statistics
Current, statistical (min, max, mean, std dev), cumulative
All counters accurate to the bit
30 Built-in profiles and 16 user-defined profiles
Break down to major protocol groups, TCP events, TCP window sizes

Example: Filtering & Duplicating Specific Traffic
Example: filter incoming web traffic (from port 80) to subnet /24 and duplicate from Live Port A to Duplicate Port 1
– Open the simple form by pointing a Web browser to the cTap management IP address
– Define the subnet filter as IPv4 destination by using a CIDR mask ( /24)
– Select TCP protocol from the pull-down and set sport to 80
– Activate the filter and monitor the rate of packets and bytes matching the profile

Example: On-the-Fly Pattern Search at 10G Line Rate
Simple web browser configuration
Select string match template
Set payload field to confidential
Select IGNORECASE (case insensitive)
Activate the filter
Monitor rate of packets and bytes matching the profile

Example: need to filter all packets with Confidential in payload based on pattern search
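The two closing examples (a header filter on TCP source port 80 to an IPv4 destination subnet, and a non-anchored, case-insensitive payload search for "confidential") can be reproduced in software to check what such a profile should and should not match. The Python below is an added example, not SmartNA or Network Critical code; the function names and the 192.0.2.0/24 and 198.51.100.7 addresses used with it are assumptions, since the subnet on the slide did not survive in this transcript.

```python
import ipaddress
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tags, skipped before the IP header

def parse_tcp_ipv4(frame):
    """Walk Ethernet -> VLAN tag(s) -> IPv4 -> TCP; return (dst, sport, payload) or None."""
    if len(frame) < 14:
        return None
    etype, off = struct.unpack_from("!H", frame, 12)[0], 14
    while etype in VLAN_TPIDS:  # header skipping: each tag adds 4 bytes
        if len(frame) < off + 4:
            return None
        etype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if etype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    total_len, _, frag = struct.unpack_from("!HHH", frame, off + 2)
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 6 or frag & 0x1FFF:
        return None  # not IPv4/TCP, or a later fragment that carries no TCP header
    dst = ipaddress.IPv4Address(bytes(frame[off + 16:off + 20]))
    end = min(len(frame), off + total_len)  # drop Ethernet padding after the IP datagram
    tcp = off + ihl
    if end < tcp + 20:
        return None
    data = tcp + (frame[tcp + 12] >> 4) * 4  # TCP data offset skips any TCP options
    if data < tcp + 20 or data > end:
        return None
    return dst, struct.unpack_from("!H", frame, tcp)[0], frame[data:end]

def matches(frame, subnet, sport=80, pattern=None):
    """Header filter (IPv4 destination in subnet, TCP source port), plus an optional
    non-anchored, case-insensitive payload pattern."""
    parsed = parse_tcp_ipv4(frame)
    if parsed is None:
        return False
    dst, src_port, payload = parsed
    if dst not in ipaddress.ip_network(subnet) or src_port != sport:
        return False
    return pattern is None or pattern.lower() in payload.lower()

def build_frame(dst_ip, sport, payload, vlan=None):
    """Constructed test frame (zeroed MACs and checksums), not captured traffic."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("198.51.100.7").packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip + tcp + payload
```

This per-packet check does not reassemble anything: non-first IP fragments are skipped, and a pattern split across two TCP segments is not matched.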